RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-12-03 Thread George Stanchev
You can add this to your guide and perhaps a little explanation:

Add this to your JAVA_OPTS: -Dorg.bouncycastle.rsa.allow_multi_use=true

Otherwise you're doomed to run into weird, random failures depending on what 
cipher suite your browser and server agree on, which, believe me, combined with 
BCFIPS's atrocious logging levels, can be quite hard to troubleshoot. But if 
you enable that... well, technically you break out of FIPS compliance. The other 
option is to remove all RSA-based suites from your server's list so you don't 
run into the issue, or to always run with DSA keys.

George


-Original Message-
From: George Stanchev
Sent: Thursday, December 03, 2020 7:59 PM
To: Tomcat Users List ; Avik Ray 
Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Java's FIPS mode is an "experimental" feature that was removed in later Java 
versions. It was never certified (AFAIK). To me the only two viable options are 
via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the latter and have 
run into issues with RSA keys. First, the C# BCPROV doesn't support 4096-bit RSA 
keys (I know, weird, but our config app is C# and we use BCFIPS/C# there), but 
that's OK, you can use Windows CNG or CAPI, but of course then you have to put 
the whole of Windows into FIPS mode, which is not practical all the time. But 
second, and most important, BCFIPS implements the stricter FIPS requirement that 
an RSA key cannot be used for both encipherment and signature, and BCFIPS really 
tracks the usage. This, combined with the fact that Tomcat (8.5.something, about 
a year ago) doesn't really support multiple keys for SSL that can be dynamically 
selected, really leaves you with only a DSA key. Now, BC does support a system 
property to disable this FIPS requirement, but now you are not FIPS compliant, 
strictly speaking. Which, as FIPS compliance goes, might or might not be a 
problem as it is really self-reported. Also, there is no way to get PKCS12 
keystores in FIPS mode, so you're stuck with BCFKS or PEMs.

George

-Original Message-
From: Amit Pande 
Sent: Tuesday, November 24, 2020 9:31 AM
To: Tomcat Users List ; Avik Ray 
Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik,

Did you happen to try out the steps in the README at 
https://github.com/amitlpande/tomcat-9-fips? I am looking for feedback 
from the community before I add these steps (and some more) to the Tomcat 
Security FAQ page. So, I'd really appreciate your (and others') feedback.

The steps above rely purely on JSSE and JCA/JCE providers, with no OpenSSL use.

These steps will enable a plain vanilla Tomcat to run in FIPS-compliant mode. 
And as Chris mentioned below, we need to ensure any web app deployed within 
Tomcat uses FIPS-compliant constructs.

Thanks,
Amit

-Original Message-
From: Christopher Schultz 
Sent: Friday, November 6, 2020 3:40 PM
To: Tomcat Users List ; Avik Ray 
Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik,

On 11/6/20 14:50, Avik Ray wrote:
> Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.
> 
> We have done most of these configs. Are these steps sufficient to 
> ensure that all incoming and outgoing TLS connections are FIPS compliant?

This isn't something that the Tomcat community can really comment on. If you 
have a requirement to be FIPS-compliant, then you will need to evaluate whether 
or not you have met that requirement yourself.

> Or is there also a need to compile an APR connector with an underlying 
> implementation of openssl?

You do not NEED to do this, but it is a possibility that will allow you to 
definitely put the crypto engine into "FIPS mode".

> Is the APR approach just an alternative to the JSSE approach covered 
> in Anil's readme, and both hold equally good to be FIPS compliant?

Theoretically, yes.

It's also possible, I believe, to make the Sun/Oracle JSSE provider FIPS 
compliant. Hmm, maybe not: https://stackoverflow.com/a/5047855/276232
(FYI Stephen Colebourne tends to know what he's talking about.) It's a little 
unclear to me whether or not this is possible, while OpenSSL has very good 
documentation for how to build a FIPS-compliant binary library and then put it 
in the right mode.

How FIPS-compliant do you actually need to be? It's pretty trivial to make sure 
that you support certain algorithms, etc. and that you disable other ones. 
FIPS, however, technically requires that you enable certain algorithms that 
really should no longer be used. These days, strict FIPS compliance is IMHO a 
risk to be avoided.

-chris

> On Fri, 6 Nov, 2020, 12:51 Martin Grigorov,  wrote:
> 
>> Hi,
>>
>> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray  wrote:
>>
>>> Dear team,
>>> Sending this query again after subscribing to the mailing list. Sent 
>>> it originally 3 days back, but just saw an error response in the 
>>> spam folder asking to subscribe first.
>>>
>>> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NI

RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

2020-12-03 Thread George Stanchev
Java's FIPS mode is an "experimental" feature that was removed in later Java 
versions. It was never certified (AFAIK). To me the only two viable options are 
via APR+OpenSSL 1.0.1/FIPS and BCFIPS. We have implemented the latter and have 
run into issues with RSA keys. First, the C# BCPROV doesn't support 4096-bit RSA 
keys (I know, weird, but our config app is C# and we use BCFIPS/C# there), but 
that's OK, you can use Windows CNG or CAPI, but of course then you have to put 
the whole of Windows into FIPS mode, which is not practical all the time. But 
second, and most important, BCFIPS implements the stricter FIPS requirement that 
an RSA key cannot be used for both encipherment and signature, and BCFIPS really 
tracks the usage. This, combined with the fact that Tomcat (8.5.something, about 
a year ago) doesn't really support multiple keys for SSL that can be dynamically 
selected, really leaves you with only a DSA key. Now, BC does support a system 
property to disable this FIPS requirement, but now you are not FIPS compliant, 
strictly speaking. Which, as FIPS compliance goes, might or might not be a 
problem as it is really self-reported. Also, there is no way to get PKCS12 
keystores in FIPS mode, so you're stuck with BCFKS or PEMs.

George

-Original Message-
From: Amit Pande  
Sent: Tuesday, November 24, 2020 9:31 AM
To: Tomcat Users List ; Avik Ray 
Subject: RE: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik,

Did you happen to try out the steps in the README at 
https://github.com/amitlpande/tomcat-9-fips? I am looking for feedback 
from the community before I add these steps (and some more) to the Tomcat 
Security FAQ page. So, I'd really appreciate your (and others') feedback.

The steps above rely purely on JSSE and JCA/JCE providers, with no OpenSSL use.

These steps will enable a plain vanilla Tomcat to run in FIPS-compliant mode. 
And as Chris mentioned below, we need to ensure any web app deployed within 
Tomcat uses FIPS-compliant constructs.

Thanks,
Amit

-Original Message-
From: Christopher Schultz 
Sent: Friday, November 6, 2020 3:40 PM
To: Tomcat Users List ; Avik Ray 
Subject: [EXTERNAL] Re: Can Tomcat 9 be FIPS compliant without OpenSSL?

Avik,

On 11/6/20 14:50, Avik Ray wrote:
> Thanks a lot Anil for the detailed readme, and Martin for pointing me to it.
> 
> We have done most of these configs. Are these steps sufficient to 
> ensure that all incoming and outgoing TLS connections are FIPS compliant?

This isn't something that the Tomcat community can really comment on. If you 
have a requirement to be FIPS-compliant, then you will need to evaluate whether 
or not you have met that requirement yourself.

> Or is there also a need to compile an APR connector with an underlying 
> implementation of openssl?

You do not NEED to do this, but it is a possibility that will allow you to 
definitely put the crypto engine into "FIPS mode".

> Is the APR approach just an alternative to the JSSE approach covered 
> in Anil's readme, and both hold equally good to be FIPS compliant?

Theoretically, yes.

It's also possible, I believe, to make the Sun/Oracle JSSE provider FIPS 
compliant. Hmm, maybe not: https://stackoverflow.com/a/5047855/276232
(FYI Stephen Colebourne tends to know what he's talking about.) It's a little 
unclear to me whether or not this is possible, while OpenSSL has very good 
documentation for how to build a FIPS-compliant binary library and then put it 
in the right mode.

How FIPS-compliant do you actually need to be? It's pretty trivial to make sure 
that you support certain algorithms, etc. and that you disable other ones. 
FIPS, however, technically requires that you enable certain algorithms that 
really should no longer be used. These days, strict FIPS compliance is IMHO a 
risk to be avoided.

-chris

> On Fri, 6 Nov, 2020, 12:51 Martin Grigorov,  wrote:
> 
>> Hi,
>>
>> On Fri, Nov 6, 2020 at 8:57 AM Avik Ray  wrote:
>>
>>> Dear team,
>>> Sending this query again after subscribing to the mailing list. Sent 
>>> it originally 3 days back, but just saw an error response in the 
>>> spam folder asking to subscribe first.
>>>
>>> We are using Tomcat 9.0.37 x64 on Windows Server 2016 OS and the NIO 
>>> connector with JSSE, without an underlying OpenSSL.
>>>
>>> As per Tomcat 9 docs, the only mention of FIPS compliant operation I 
>>> see is in the config of APR lifecycle listener, with the expectation 
>>> of an underlying OpenSSL implementation that can be set to FIPS 
>>> enabled mode. Ref:
>>> https://tomcat.apache.org/tomcat-9.0-doc/config/listeners.html
>>>
>>> Is it possible to be FIPS compliant with the usage of Tomcat, 
>>> without the above setting? We were thinking of using BouncyCastle 
>>> FIPS as the underlying Java crypto provider instead of OpenSSL for 
>>> multiple reasons.
>>>
>>> Are there any other dependencies Tomcat has on the underlying stack, 
>>> besides that provided by a Java crypto provider like BC-FIPS, having 
>>> a bearing on FIPS compliance?
>>>
>

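George's point in the two messages above is that BCFIPS will not let one RSA key both sign (ECDHE_RSA and DHE_RSA suites, where the server key signs the ephemeral key-exchange parameters) and decrypt (TLS_RSA_* suites, where the client encrypts the premaster secret to the key). Which of the two the key is asked to do depends on the suite the browser and server negotiate, hence the intermittent failures, and -Dorg.bouncycastle.rsa.allow_multi_use=true only makes them go away by relaxing the rule. His FIPS-preserving alternative, dropping the RSA key-transport suites, can be applied on the connector itself. The following is an added example and not code from the thread or from Tomcat: it derives the allow-list from the JDK's supported suite names and applies it to a NIO connector backed by a BCFKS keystore. The keystore path, the KEYSTORE_PASSWORD variable and the key alias are assumptions. Note that TLS 1.3 suites never use the certificate key for key exchange, so the dual-use problem only exists for TLS 1.2 and earlier.

```java
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;

import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

/**
 * Added example, not code from the thread or from Tomcat itself.
 * Keeps an RSA certificate key signature-only under TLS 1.2 by enabling only
 * suites in which the server key signs (ECDHE_RSA, DHE_RSA) and none in which
 * it decrypts (TLS_RSA_* key transport).
 */
public final class SignatureOnlyRsaConnector {

    /**
     * Filter JSSE suite names: drop RSA key transport (TLS_RSA_*, SSL_RSA_*),
     * static (EC)DH suites, anonymous and NULL suites and the signalling
     * pseudo-suite; keep ephemeral suites and the TLS 1.3 suites. The result is
     * the value for SSLHostConfig.setCiphers, or for ciphers="..." on
     * <SSLHostConfig> in server.xml.
     */
    static String signatureOnlyRsaSuites(String[] supported) {
        List<String> keep = new ArrayList<>();
        for (String s : supported) {
            boolean rsaKeyTransport = s.startsWith("TLS_RSA_") || s.startsWith("SSL_RSA_");
            boolean staticDh = s.contains("_DH_") || s.contains("_ECDH_");   // DHE_/ECDHE_ do not match
            boolean weak = s.contains("_anon_") || s.contains("_NULL_") || s.endsWith("_SCSV");
            if (!rsaKeyTransport && !staticDh && !weak) {
                keep.add(s);
            }
        }
        return String.join(",", keep);
    }

    /** NIO HTTPS connector backed by a BCFKS keystore; path, alias and the
     *  password variable are assumptions for illustration. */
    static Connector signatureOnlyConnector(int port) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();

        SSLHostConfig host = new SSLHostConfig();
        host.setProtocols("TLSv1.2,TLSv1.3");
        host.setCiphers(signatureOnlyRsaSuites(supported));

        SSLHostConfigCertificate cert =
                new SSLHostConfigCertificate(host, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile("conf/server.bcfks");                      // assumed path
        cert.setCertificateKeystoreType("BCFKS");
        cert.setCertificateKeystoreProvider("BCFIPS");
        cert.setCertificateKeystorePassword(System.getenv("KEYSTORE_PASSWORD"));  // assumed variable
        cert.setCertificateKeyAlias("tomcat");                                     // assumed alias
        host.addCertificate(cert);

        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setProperty("SSLEnabled", "true");
        connector.addSslHostConfig(host);
        return connector;
    }

    /** Print the allow-list so it can be pasted into server.xml. */
    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        System.out.println(signatureOnlyRsaSuites(supported));
    }
}
```

In server.xml the same configuration is ciphers="..." on <SSLHostConfig> with the printed list, and certificateKeystoreType="BCFKS" certificateKeystoreProvider="BCFIPS" on <Certificate>. Run the main method under the BCFIPS-configured JVM so the supported-suite list is the one Tomcat will actually see.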
RE: Bouncy Castle FIPS on RHEL 7.3

2020-12-03 Thread George Stanchev
Hi Amit,

Consider changing "securerandom.strongAlgorithms" to 
"NativePRNGNonBlocking:SUN" in your Java's "lib\security\java.security". The 
default is "NativePRNGBlocking:SUN" and is really entropy-thirsty on startup 
as it runs its self-tests and seeds its PRNG.

George

-Original Message-
From: Amit Pande  
Sent: Tuesday, November 24, 2020 9:22 AM
To: Tomcat Users List 
Subject: Bouncy Castle FIPS on RHEL 7.3

Probably not directly related to Tomcat but still sharing. Apologies in advance 
for that.

I am using the Bouncy Castle FIPS library and observed that, specifically on RHEL 
7.3, the library usage is causing tremendous slowness,
e.g. the keytool command below takes several minutes to finish.

keytool -providerpath /root/Downloads/bc-fips-1.0.2.jar -providerclass 
org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider -genkeypair  -keyalg 
RSA -keypass "Test123" -validity 3650 -dname "CN=Test_HostName, ou=My Org Unit, 
o=My Org" -storepass "Test123" -keystore "/tmp/test_bc.bcfks" -storetype BCFKS 
-v -alias test_entry

However, when I add the JVM option -J-Djava.security.egd=file:/dev/./urandom  
instead of the default /dev/random, all problems go away.

It's rather strange that multiple RHEL 7.3 systems are showing this behavior 
very consistently. RHEL 7.2 and 8.0 seem just fine in my testing. No issues when 
using /dev/random along with JKS-type key stores (including on RHEL 7.3).

Even Tomcat is flagging the slowness to generate the secure random numbers.

"17-Nov-2020 19:24:59.142 WARNING [Catalina-utility-2] 
org.apache.catalina.util.SessionIdGeneratorBase.createSecureRandom Creation of 
SecureRandom instance for session ID generation using [SHA1PRNG] took [68,745] 
milliseconds."

Apparently, according to FIPS experts, we should not use /dev/./urandom.

So, while I continue to explore further, I'm sharing this in case anyone has seen 
this behavior or is aware of such a potential issue, as it may tie in to their 
Tomcat (or web apps to be deployed in Tomcat).

Thanks,
Amit


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


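George's tip and Amit's workaround turn two different knobs: securerandom.strongAlgorithms decides what SecureRandom.getInstanceStrong() hands out, while -Djava.security.egd (which overrides securerandom.source from java.security) decides where the SUN provider's seeding reads from, including the self-seeding of the SHA1PRNG that Tomcat's session-ID warning above is about. The probe below is an added diagnostic, not from the thread: it prints both effective settings and times the calls that stall when a RHEL 7 kernel's blocking pool is empty. Run it with the same JAVA_OPTS as Tomcat, on a slow host and on a good one, to see which setting is actually in play before editing java.security. The algorithm names are the SUN provider's standard ones; nothing else is assumed.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.Security;

/**
 * Added diagnostic, not from the thread. Shows which seed source and which
 * "strong" algorithm the JVM is configured with, and times the calls that stall
 * when the kernel's blocking pool (/dev/random on RHEL 7) is starved.
 */
public final class SeedSourceProbe {

    /** -Djava.security.egd on the command line overrides securerandom.source
     *  from lib/security/java.security; this mirrors that precedence. */
    static String effectiveSeedSource() {
        String egd = System.getProperty("java.security.egd");
        return egd != null ? egd : Security.getProperty("securerandom.source");
    }

    /** Milliseconds to obtain the generator selected by
     *  securerandom.strongAlgorithms and draw 32 bytes from it. For the
     *  NativePRNG* generators nextBytes also reads the device, so both halves
     *  are timed together. */
    static long millisForStrong() throws NoSuchAlgorithmException {
        long start = System.nanoTime();
        SecureRandom sr = SecureRandom.getInstanceStrong();
        sr.nextBytes(new byte[32]);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    /** Same measurement for an explicitly named algorithm. */
    static long millisFor(String algorithm) throws NoSuchAlgorithmException {
        long start = System.nanoTime();
        SecureRandom sr = SecureRandom.getInstance(algorithm);
        sr.nextBytes(new byte[32]);
        return (System.nanoTime() - start) / 1_000_000L;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("securerandom.source           = " + Security.getProperty("securerandom.source"));
        System.out.println("java.security.egd             = " + System.getProperty("java.security.egd"));
        System.out.println("effective seed source         = " + effectiveSeedSource());
        System.out.println("securerandom.strongAlgorithms = " + Security.getProperty("securerandom.strongAlgorithms"));
        System.out.println(String.format("%-29s : %d ms", "getInstanceStrong()", millisForStrong()));
        for (String alg : new String[] {"NativePRNGBlocking", "NativePRNGNonBlocking", "DRBG", "SHA1PRNG"}) {
            try {
                System.out.println(String.format("%-29s : %d ms", alg, millisFor(alg)));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(String.format("%-29s : not available", alg));   // e.g. DRBG on JDK 8
            }
        }
    }
}
```

If getInstanceStrong() and NativePRNGBlocking are the slow lines while NativePRNGNonBlocking is fast, the pool is the bottleneck and George's strongAlgorithms change addresses it; if SHA1PRNG is slow as well, the seed source is what matters and that is what the egd flag changes.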

Re: embedded tomcat and context.xml

2020-12-03 Thread Rob Sargent
Again, much appreciated feedback.  (I never think what I'm doing is all 
that special)

Though two concurrent users would really be "wildly successful", each of 
those users will fire up hundreds (thousands if we get 
permission/capacity) of EC2 instances and start pounding the db, so I 
think connection pooling is in order.

I contemplated managing my own pools but didn't want

 - the hassle of resetting the "search_path" for each connection if I 
used a single (initial) user (if I stuck with the tomcat pooler)

 - the overhead in terms of both my own code and actual resource 
consumption (minimum connection held etc.)

so I switched to the dbcp2 PerUserPoolDataSourceFactory in the hope that 
the lookup for an available connection happens after I reset the user/db 
(Recall that with postgres a db is just part of the same physical 
server, of which there will be only one, and for me a user is associated 
with only one database.)

Really great to hear that lookup() is not my biggest concern ;)

Thanks again,
rjs


On 12/3/20 3:18 PM, Christopher Schultz wrote:
> Rob,
>
> On 12/3/20 11:03, Rob Sargent wrote:
>> Thanks for your time. Your response goes a long way to explaining why
>> there is so little specific information on embedding tomcat.
>
> Only programmers are interested in using embedded Tomcat, so having 
> "Tomcat Embedded For Dummies" isn't terribly useful. (I don't mean to 
> be insulting; I'm just trying to get my point across about 
> "intro-level" content regarding Tomcat as an embedded product.)
>
> Embedding Tomcat into a product is done precisely because the standard 
> deployment model (which lends itself to system admins who don't really 
> need to know anything about Java programming) isn't sufficient for 
> some special case. Indeed, every Tomcat embedded instance is by 
> definition a special case, so guides for "doing it" don't exist since 
> nobody else knows exactly what you are trying to do.
>
>> Really, just as I said.  I had convinced myself from several items
>> encountered on the web that an embedded tomcat instance would not
>> read the standard conf/*.xml.  If I hit any of those pages again I
>> will react (either on the page or perhaps post here, if that would be
>> appropriate).
>
> The best references for behavior of the Tomcat class would be:
>
> 1. The Tomcat javadoc
> and
> 2. The source code for the Tomcat class
>
> It's fairly readable, but most everything you need to read is in the 
> Javadoc.
>
>> TL/DR: at heart I'm struggling with the proper initialization and
>> consumption of the dbcp2 datasource which I add programmatically and
>> might consider using the context.xml version.
>
> Unless there is a particularly good reason not to use it, I would 
> recommend using META-INF/context.xml. There are some really great 
> reasons not to do that. For example, if you want to fetch your DBCP 
> configuration from Kubernetes and then use that to 
> dynamically configure DBCP, then you'll probably have to forego 
> XML-based configuration.
>
>> A litany of small issues:
>>
>> My @Resource(name, type) DataSource ds doesn't take (I have several 
>> more attempts planned)
>
> Ooh. I tend to avoid @Annotations and I'm not really sure how that one 
> works, anyway. I'm not a good resource, here.
>
>> Is that failure logged?
>
> Dunno.
>
>> Is context.lookup() expensive?
>
> No. Tomcat's implementation of JNDI contexts isn't much more 
> complicated than a HashMap. In some other EE containers, 
> context.lookup() might indeed be expensive.
>
>> Is there any configuration available only in xml?
>
> I don't know for sure, but I suspect not. The XML configuration uses 
> the commons-digester to call setFoo("bar") for each foo="bar" 
> attribute on the <Resource>, so I don't think there is anything in 
> there that couldn't be done 100% in Java code. You might have to 
> dig around a little to find the default implementations of various 
> things (like DataSource/DataSourceFactory) but that shouldn't be too 
> tough.
>
>> DriverManager is working fine but is that the best access to the 
>> DataSource, which I need to be able to change the current database
>> (in a postgres sense)
>
> Do you need to change the user after container initialization, like 
> potentially for any given request? Is there anything wrong with 
> registering multiple database pools and then selecting the right one 
> depending upon the effective user during the request?
>
> Maybe you don't even want a connection pool. I remember you saying 
> you'd be wildly successful if you had 2 users per day or something 
> like that.
>
> -chris
>
>> On Dec 3, 2020, at 8:06 AM, Christopher Schultz wrote:
>>
>>> Rob,
>>>
>>> On 12/2/20 13:31, Rob Sargent wrote:
>>>> I'm old and easily confused: does an embedded tomcat server read 
>>>> (any) context.xml file?  I find conflicting answers /out there./
>>>>
>>>> Using tomcat 9.0.40
>>>> embeddedTomcat = new Tomcat();
>>>> embeddedTomcat.setPort(tomcatPort);
>>>> embeddedTomcat.enableNaming();
>>>> embeddedTomcat.getConnector(); // an init, really
>>>> String contextRootPath = System.getenv("CATALINA_HOME");
>>>> Context contextTomcat = embeddedTomcat.addContext("", new File(co

Re: embedded tomcat and context.xml

2020-12-03 Thread Christopher Schultz

Rob,

On 12/3/20 11:03, Rob Sargent wrote:
> Thanks for your time. Your response goes a long way to explaining why
> there is so little specific information on embedding tomcat.

Only programmers are interested in using embedded Tomcat, so having 
"Tomcat Embedded For Dummies" isn't terribly useful. (I don't mean to be 
insulting; I'm just trying to get my point across about "intro-level" 
content regarding Tomcat as an embedded product.)

Embedding Tomcat into a product is done precisely because the standard 
deployment model (which lends itself to system admins who don't really 
need to know anything about Java programming) isn't sufficient for some 
special case. Indeed, every Tomcat embedded instance is by definition a 
special case, so guides for "doing it" don't exist since nobody else 
knows exactly what you are trying to do.

> Really, just as I said.  I had convinced myself from several items
> encountered on the web that an embedded tomcat instance would not
> read the standard conf/*.xml.  If I hit any of those pages again I
> will react (either on the page or perhaps post here, if that would be
> appropriate).

The best references for behavior of the Tomcat class would be:

1. The Tomcat javadoc
and
2. The source code for the Tomcat class

It's fairly readable, but most everything you need to read is in the 
Javadoc.

> TL/DR: at heart I'm struggling with the proper initialization and
> consumption of the dbcp2 datasource which I add programmatically and
> might consider using the context.xml version.

Unless there is a particularly good reason not to use it, I would 
recommend using META-INF/context.xml. There are some really great 
reasons not to do that. For example, if you want to fetch your DBCP 
configuration from Kubernetes and then use that to dynamically configure 
DBCP, then you'll probably have to forego XML-based configuration.

> A litany of small issues:
>
> My @Resource(name, type) DataSource ds doesn't take (I have several more 
> attempts planned)

Ooh. I tend to avoid @Annotations and I'm not really sure how that one 
works, anyway. I'm not a good resource, here.

> Is that failure logged?

Dunno.

> Is context.lookup() expensive?

No. Tomcat's implementation of JNDI contexts isn't much more complicated 
than a HashMap. In some other EE containers, context.lookup() might 
indeed be expensive.

> Is there any configuration available only in xml?

I don't know for sure, but I suspect not. The XML configuration uses the 
commons-digester to call setFoo("bar") for each foo="bar" attribute on 
the <Resource>, so I don't think there is anything in there that 
couldn't be done 100% in Java code. You might have to dig around a 
little to find the default implementations of various things (like 
DataSource/DataSourceFactory) but that shouldn't be too tough.

> DriverManager is working fine but is that the best access to the 
> DataSource, which I need to be able to change the current database
> (in a postgres sense)

Do you need to change the user after container initialization, like 
potentially for any given request? Is there anything wrong with 
registering multiple database pools and then selecting the right one 
depending upon the effective user during the request?

Maybe you don't even want a connection pool. I remember you saying you'd 
be wildly successful if you had 2 users per day or something like that.

-chris

> On Dec 3, 2020, at 8:06 AM, Christopher Schultz wrote:
>
>> Rob,
>>
>> On 12/2/20 13:31, Rob Sargent wrote:
>>> I'm old and easily confused: does an embedded tomcat server read (any) 
>>> context.xml file?  I find conflicting answers /out there./
>>> Using tomcat 9.0.40
>>> embeddedTomcat = new Tomcat();
>>> embeddedTomcat.setPort(tomcatPort);
>>> embeddedTomcat.enableNaming();
>>> embeddedTomcat.getConnector(); // an init, really
>>> String contextRootPath = System.getenv("CATALINA_HOME");
>>> Context contextTomcat = embeddedTomcat.addContext("", new File(contextRootPath + "/sgs").getAbsolutePath());
>>> I know it is finding WEB-INF/web.xml (under "sgs") and finds all my servlets, 
>>> none of which are named in the web.xml.
>>
>> Tomcat should be reading your web application's META-INF/context.xml file, if 
>> one exists.
>>
>> If you call Tomcat.init(), it will attempt to locate the default 
>> conf/server.xml, conf/web.xml, and conf/context.xml based upon your 
>> configuration source.
>>
>> What are you /really/ asking?
>>
>> -chris


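Chris's recommendation in the exchange above is META-INF/context.xml unless the pool settings have to come from somewhere dynamic. For that dynamic case, the following is an added example, not Rob's or Chris's code, of registering a DBCP 2 pool on an embedded Tomcat context so that it is reachable under java:comp/env exactly as a <Resource> element would be, with the credentials read from environment variables rather than written into an XML file. The JDBC URL, the variable names DB_URL, DB_USER and DB_PASSWORD, the docBase and the resource name jdbc/sgs are assumptions. The equivalent context.xml is one <Resource> element whose attributes are the property names used below.

```java
import java.io.File;
import java.sql.Connection;
import java.sql.SQLException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.ContextResource;

/**
 * Added example, not Rob's or Chris's code. Registers a DBCP 2 pool as a JNDI
 * resource on an embedded Tomcat context; this is the programmatic twin of a
 * <Resource> element in META-INF/context.xml, attribute names becoming property
 * names. Credentials come from the environment so no password sits in an XML
 * file. JDBC URL, variable names, docBase and resource name are assumptions.
 */
public final class EmbeddedJndiDataSource {

    private static String requireEnv(String name) {
        String v = System.getenv(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return v;
    }

    /** Pool definition, looked up later as java:comp/env/{jndiName}. */
    static ContextResource postgresPool(String jndiName) {
        ContextResource res = new ContextResource();
        res.setName(jndiName);
        res.setType("javax.sql.DataSource");
        res.setAuth("Container");
        res.setProperty("driverClassName", "org.postgresql.Driver");
        res.setProperty("url", requireEnv("DB_URL"));            // assumed: jdbc:postgresql://host/db
        res.setProperty("username", requireEnv("DB_USER"));      // assumed variable
        res.setProperty("password", requireEnv("DB_PASSWORD"));  // assumed variable
        res.setProperty("maxTotal", "20");
        res.setProperty("maxWaitMillis", "5000");
        res.setProperty("validationQuery", "SELECT 1");
        res.setProperty("testOnBorrow", "true");
        return res;
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);
        tomcat.enableNaming();   // without this there is no java:comp/env at all
        tomcat.getConnector();

        String docBase = new File(System.getenv("CATALINA_HOME"), "sgs").getAbsolutePath();
        org.apache.catalina.Context ctx = tomcat.addContext("", docBase);
        ctx.getNamingResources().addResource(postgresPool("jdbc/sgs"));

        tomcat.start();
        tomcat.getServer().await();
    }

    /** From servlet code: Tomcat's lookup is a map read, so doing it per request is fine. */
    static Connection borrow() throws NamingException, SQLException {
        Context env = (Context) new InitialContext().lookup("java:comp/env");
        DataSource ds = (DataSource) env.lookup("jdbc/sgs");
        return ds.getConnection();   // close() returns it to the pool
    }
}
```

Rob's PerUserPoolDataSourceFactory variant is the same registration with a different factory property; the point here is only that what goes into getNamingResources() before start() is what context.xml would have declared.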

[SECURITY] CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

2020-12-03 Thread Mark Thomas
CVE-2020-17527 Apache Tomcat HTTP/2 Request header mix-up

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.0-M9
Apache Tomcat 9.0.0.M5 to 9.0.39
Apache Tomcat 8.5.1 to 8.5.59

Description:
While investigating Bug 64830 it was discovered that Apache Tomcat could
re-use an HTTP request header value from the previous stream received
on an HTTP/2 connection for the request associated with the subsequent
stream. While this would most likely lead to an error and the closure of
the HTTP/2 connection, it is possible that information could leak
between requests.

Mitigation:
- Upgrade to Apache Tomcat 10.0.0-M10 or later
- Upgrade to Apache Tomcat 9.0.40 or later
- Upgrade to Apache Tomcat 8.5.60 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-10.html
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html

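A check for the affected ranges above, added here and not part of the advisory: it parses the version string that version.sh prints as "Server version" (or that org.apache.catalina.util.ServerInfo.getServerInfo() returns) and reports whether it lies inside one of the three ranges. Milestone builds (9.0.0.M5, 10.0.0-M9) are ordered before the final release with the same number, which is what makes 10.0.0-M10 and 9.0.40 come out as fixed. Only the listed ranges are encoded; a release line the advisory does not mention reports "not affected".

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added check, not part of the advisory. Decides whether a Tomcat version
 * string (as printed by version.sh as "Server version", or returned by
 * org.apache.catalina.util.ServerInfo.getServerInfo()) falls inside the
 * affected ranges listed above. Milestones such as 9.0.0.M5 or 10.0.0-M9 sort
 * before the final release that carries the same number.
 */
public final class Cve202017527 {

    /** major.minor.patch plus milestone; Integer.MAX_VALUE marks a final release. */
    static final class Version implements Comparable<Version> {
        private static final Pattern FORMAT =
                Pattern.compile("^(?:Apache Tomcat/)?(\\d+)\\.(\\d+)\\.(\\d+)(?:[.-]M(\\d+))?$");

        final int major, minor, patch, milestone;

        Version(int major, int minor, int patch, int milestone) {
            this.major = major;
            this.minor = minor;
            this.patch = patch;
            this.milestone = milestone;
        }

        static Version parse(String text) {
            Matcher m = FORMAT.matcher(text.trim());
            if (!m.matches()) {
                throw new IllegalArgumentException("not a Tomcat version string: " + text);
            }
            int milestone = m.group(4) == null ? Integer.MAX_VALUE : Integer.parseInt(m.group(4));
            return new Version(Integer.parseInt(m.group(1)), Integer.parseInt(m.group(2)),
                    Integer.parseInt(m.group(3)), milestone);
        }

        @Override
        public int compareTo(Version o) {
            if (major != o.major) return Integer.compare(major, o.major);
            if (minor != o.minor) return Integer.compare(minor, o.minor);
            if (patch != o.patch) return Integer.compare(patch, o.patch);
            return Integer.compare(milestone, o.milestone);
        }
    }

    /** Inclusive ranges copied from the advisory: {first affected, last affected}. */
    private static final String[][] AFFECTED = {
        {"10.0.0-M1", "10.0.0-M9"},
        {"9.0.0.M5", "9.0.39"},
        {"8.5.1", "8.5.59"},
    };

    static boolean isAffected(String versionString) {
        Version v = Version.parse(versionString);
        for (String[] range : AFFECTED) {
            Version low = Version.parse(range[0]);
            Version high = Version.parse(range[1]);
            if (v.compareTo(low) >= 0 && v.compareTo(high) <= 0) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        String[] samples = args.length > 0 ? args : new String[] {
            "Apache Tomcat/9.0.39", "9.0.40", "8.5.59", "8.5.60", "10.0.0-M9", "10.0.0-M10", "9.0.0.M4"
        };
        for (String s : samples) {
            System.out.println(s + " -> " + (isAffected(s) ? "AFFECTED, upgrade" : "not affected"));
        }
    }
}
```

Feed it the output of bin/version.sh from each host, or call isAffected(ServerInfo.getServerInfo()) from a health endpoint; either way the decision is driven by the ranges in the advisory, not by a string compare.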



Re: embedded tomcat and context.xml

2020-12-03 Thread Rob Sargent
Chris,
Thanks for your time. Your response goes a long way to explaining why there is 
so little specific information on embedding tomcat.
Really, just as I said.  I had convinced myself from several items encountered 
on the web that an embedded tomcat instance would not read the standard 
conf/*.xml.  If I hit any of those pages again I will react (either on the page 
or perhaps post here, if that would be appropriate).  

TL/DR: at heart I'm struggling with the proper initialization and consumption 
of the dbcp2 datasource which I add programmatically and might consider using 
the context.xml version.  A litany of small issues:
 - My @Resource(name, type) DataSource ds doesn't take (I have several more 
attempts planned)
 - Is that failure logged?
 - Is context.lookup() expensive?
 - Is there any configuration available only in xml? 
 - DriverManager is working fine but is that the best access to the DataSource, 
which I need to be able to change the current database (in a postgres sense)


> On Dec 3, 2020, at 8:06 AM, Christopher Schultz 
>  wrote:
> 
> Rob,
> 
> On 12/2/20 13:31, Rob Sargent wrote:
>> I'm old and easily confused: does an embedded tomcat server read (any) 
>> context.xml file?  I find conflicting answers /out there./
>> Using tomcat 9.0.40
>> embeddedTomcat = new Tomcat();
>> embeddedTomcat.setPort(tomcatPort);
>> embeddedTomcat.enableNaming();
>> embeddedTomcat.getConnector(); // an init, really
>> String contextRootPath = System.getenv("CATALINA_HOME");
>> Context contextTomcat = embeddedTomcat.addContext("", new File(contextRootPath + "/sgs").getAbsolutePath());
>> I know it is finding WEB-INF/web.xml (under "sgs") and finds all my 
>> servlets, none of which are named in the web.xml.
> 
> Tomcat should be reading your web application's META-INF/context.xml file, if 
> one exists.
> 
> If you call Tomcat.init(), it will attempt to locate the default 
> conf/server.xml, conf/web.xml, and conf/context.xml based upon your 
> configuration source.
> 
> What are you /really/ asking?
> 
> -chris
> 



Re: embedded tomcat and context.xml

2020-12-03 Thread Christopher Schultz

Rob,

On 12/2/20 13:31, Rob Sargent wrote:
> I'm old and easily confused: does an embedded tomcat server read (any) 
> context.xml file?  I find conflicting answers /out there./
>
> Using tomcat 9.0.40
>
> embeddedTomcat = new Tomcat();
> embeddedTomcat.setPort(tomcatPort);
> embeddedTomcat.enableNaming();
> embeddedTomcat.getConnector(); // an init, really
> String contextRootPath = System.getenv("CATALINA_HOME");
> Context contextTomcat = embeddedTomcat.addContext("", new File(contextRootPath + "/sgs").getAbsolutePath());
>
> I know it is finding WEB-INF/web.xml (under "sgs") and finds all my 
> servlets, none of which are named in the web.xml.


Tomcat should be reading your web application's META-INF/context.xml 
file, if one exists.


If you call Tomcat.init(), it will attempt to locate the default 
conf/server.xml, conf/web.xml, and conf/context.xml based upon your 
configuration source.


What are you /really/ asking?

-chris




Re: ERR_CONNECTION_REFUSED

2020-12-03 Thread Christopher Schultz

Tercio,

On 11/30/20 10:38, Tercio Pedro wrote:
> I am a user of the Tomcat server, I need assistance in configuring the ssl
> certificate and port 443.
>
> I installed the ssl certificate but the site just opens on port 8443 I want
> to go to port 443, I already changed the port on the connector
> (server.xml), I already enabled the port on the firewall and when I try to
> open on port 443 I have the error: ERR_CONNECTION_REFUSED

Can you please post the <Connector> element(s) from your conf/server.xml 
file? My guess is that you have port="8443" and you need to do one of 
the following:


1. Set port="443"
   NOTE: This will only work on Windows, or if you use
   jsvc/authbind/setcap on *NIX environments

2. Use your firewall to re-wire incoming port 443 -> port 8443
   This is done in different ways depending on OS and network setup

-chris

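ERR_CONNECTION_REFUSED means nothing is listening on 443 at all, so the first thing to establish is whether the Tomcat process is even allowed to bind that port. The snippet below is an added diagnostic, not from the thread: tryBind attempts the bind the way the connector would and separates "permission denied" (an unprivileged user on *NIX, which is what jsvc, authbind or setcap in option 1 fix) from "address already in use" (another service, such as IIS or httpd, already owns 443). behindRedirect shows option 2 on the connector: keep listening on 8443 behind a firewall redirect such as iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443, and set proxyPort so that request.getServerPort() and the redirects Tomcat builds from it carry 443 rather than 8443; in server.xml these are the port and proxyPort attributes on <Connector>. The message matching in tryBind is a heuristic on the JDK's BindException text. One caveat for the setcap route: a binary carrying a file capability runs with the dynamic loader in secure mode, which ignores LD_LIBRARY_PATH, so confirm the JVM still starts after applying it.

```java
import java.io.IOException;
import java.net.BindException;
import java.net.InetSocketAddress;
import java.net.ServerSocket;

import org.apache.catalina.connector.Connector;

/** Added diagnostic and connector setup, not from the thread. */
public final class Port443Check {

    enum BindResult { OK, PERMISSION_DENIED, IN_USE, OTHER }

    /**
     * Bind and immediately release the port, the way the connector will try to.
     * The message check is heuristic: the JDK surfaces EACCES and EADDRINUSE as
     * BindException with "Permission denied" / "Address already in use" text.
     */
    static BindResult tryBind(int port) {
        try (ServerSocket s = new ServerSocket()) {
            s.setReuseAddress(true);
            s.bind(new InetSocketAddress(port));
            return BindResult.OK;
        } catch (BindException e) {
            String msg = String.valueOf(e.getMessage()).toLowerCase();
            if (msg.contains("permission denied")) {
                return BindResult.PERMISSION_DENIED;   // needs jsvc/authbind/setcap, or option 2
            }
            if (msg.contains("in use")) {
                return BindResult.IN_USE;              // some other listener already has the port
            }
            return BindResult.OTHER;
        } catch (IOException e) {
            return BindResult.OTHER;
        }
    }

    /**
     * Option 2: listen on 8443 behind a firewall redirect of 443 and tell Tomcat
     * the client-visible port, so request.getServerPort() and the redirects built
     * from it say 443. Same as port="8443" proxyPort="443" on <Connector> in
     * server.xml.
     */
    static Connector behindRedirect() {
        Connector c = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        c.setPort(8443);
        c.setProxyPort(443);
        c.setScheme("https");
        c.setSecure(true);
        c.setProperty("SSLEnabled", "true");
        return c;
    }

    public static void main(String[] args) {
        System.out.println("bind 443  -> " + tryBind(443));
        System.out.println("bind 8443 -> " + t<br>ryBind(8443));
    }
}
```

Run the main method as the same OS user that starts Tomcat: PERMISSION_DENIED on 443 with OK on 8443 is the classic unprivileged-user case, and IN_USE on 8443 while Tomcat is up simply confirms which port it actually holds.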



Re: Fetching connector from jmx by name

2020-12-03 Thread Christopher Schultz

Fred,

On 11/30/20 04:07, Fred Al wrote:
> Is it possible to put an identifier on a connector and use that identifier
> to retrieve the connector by identifier from JMX?


No. You will need to use the connector's "computed" name.

You could also enumerate all connectors and choose by some other criteria.

-chris

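As Chris says, the name is computed rather than assigned: a connector registers as Catalina:type=Connector,port=<port>, with an address key added when the connector is bound to a specific address. The following is an added example, not from the thread, of the enumerate-and-filter route he mentions; it works over a MBeanServerConnection, so the same method serves the in-process platform MBean server and a remote JMX URL. The remote host, the JMX port 9010, the role name and the JMX_PASSWORD variable are assumptions.

```java
import java.lang.management.ManagementFactory;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Added example, not from the thread. Finds a Tomcat connector MBean by its
 * listening port instead of by spelling out its computed ObjectName.
 */
public final class ConnectorByPort {

    /** Enumerate Catalina:type=Connector,* and match on the "port" attribute. */
    static ObjectName findByPort(MBeanServerConnection mbs, int port) throws Exception {
        Set<ObjectName> names = mbs.queryNames(new ObjectName("Catalina:type=Connector,*"), null);
        for (ObjectName name : names) {
            Object p = mbs.getAttribute(name, "port");
            if (p instanceof Integer && (Integer) p == port) {
                return name;
            }
        }
        return null;
    }

    /** The computed name for a connector that has no explicit address attribute. */
    static ObjectName computedName(int port) throws Exception {
        return new ObjectName("Catalina:type=Connector,port=" + port);
    }

    public static void main(String[] args) throws Exception {
        // In-process: the platform MBean server that Tomcat registers into.
        MBeanServerConnection local = ManagementFactory.getPlatformMBeanServer();
        System.out.println("local 8443 -> " + findByPort(local, 8443));

        // Remote: host, port, role and password variable are assumptions.
        JMXServiceURL url = new JMXServiceURL("service:jmx:rmi:///jndi/rmi://tomcat-host:9010/jmxrmi");
        Map<String, Object> env = new HashMap<>();
        env.put(JMXConnector.CREDENTIALS, new String[] {"monitor", System.getenv("JMX_PASSWORD")});
        try (JMXConnector jmxc = JMXConnectorFactory.connect(url, env)) {
            MBeanServerConnection remote = jmxc.getMBeanServerConnection();
            ObjectName r = findByPort(remote, 8443);
            if (r != null) {
                System.out.println(r + " scheme=" + remote.getAttribute(r, "scheme")
                        + " secure=" + remote.getAttribute(r, "secure"));
            }
        }
    }
}
```

If you would rather not enumerate, computedName(port) reproduces the name Tomcat generates for the common case; the enumeration is only needed when connectors carry an address, or when you want to select on an attribute other than the port.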